Re: What do we have to do today?
Uri Blumenthal wrote:
>
> I raise the question of whether it is wise to allow backward compatibility
> to force us to implement algorithms we wouldn't otherwise.
To which I posited some time in the past:
> We only theoretically have the option to not require it. The number of
> people using anything other than 2.6 or thereabouts is minute compared
> to the installed base of "classic" PGP. Any clues on how many copies of
> 5.* have been sold?
To which Gene Hoffman kindly provided some numbers:
> Some quick rough numbers. On the MIT keyservers there are now about 95,000
> new public keys since 5/20. Of them 85% are DSS/DH(El Gamal) keys. Before
> that I believe that there were ~20K RSA keys...
Now, the number bandied about in documents I have seen indicates that 4
million users of 2.6 and similar exist. In 6 months of time, PGP Inc
appear to have sold 80k worth of keys. These are good numbers, I
congratulate them, but at 2% of the user base, they have a long way to
go.
I know that this group is concentrating on new users, because they are
the only ones who pay for software. However, I am not sure what
rationale there is for a standard that does not take the installed base
as its target audience. After all, what is standardisation if it is not
taking existing work and hard-won lessons from existing product?
> Lutz Donnerhacke says:........................
...
> > MD5 is must, because it is the default and backward compatible.
> > IDEA is must, because it is the default and backward compatible.
>
> It *was* the default. Do we have to keep the outdated defaults?
I do not see any basis for declaring that default is "outdated" although
my own misgivings on the whole RSA/IDEA/MD5 thing - see my previous
post - are slowly clarifying, and it took writing this post to get
there. Ta muchly :-)
--
iang systemics.com
FP: 1189 4417 F202 5DBD 5DF3 4FCD 3685 FDDE on pgp.com